You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@pdfbox.apache.org by ti...@apache.org on 2024/04/03 14:22:24 UTC

svn commit: r1916785 - /pdfbox/branches/3.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java

Author: tilman
Date: Wed Apr  3 14:22:23 2024
New Revision: 1916785

URL: http://svn.apache.org/viewvc?rev=1916785&view=rev
Log:
PDFBOX-5798: use MessageDigest.isEqual() to prevent timing attacks

Modified:
    pdfbox/branches/3.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java

Modified: pdfbox/branches/3.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java
URL: http://svn.apache.org/viewvc/pdfbox/branches/3.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java?rev=1916785&r1=1916784&r2=1916785&view=diff
==============================================================================
--- pdfbox/branches/3.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java (original)
+++ pdfbox/branches/3.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java Wed Apr  3 14:22:23 2024
@@ -633,12 +633,12 @@ public final class StandardSecurityHandl
 
         if (encRevision == REVISION_5)
         {
-            return Arrays.equals(computeSHA256(truncatedOwnerPassword, oValidationSalt, user),
+            return MessageDigest.isEqual(computeSHA256(truncatedOwnerPassword, oValidationSalt, user),
                     oHash);
         }
         else
         {
-            return Arrays.equals(computeHash2A(truncatedOwnerPassword, oValidationSalt, user),
+            return MessageDigest.isEqual(computeHash2A(truncatedOwnerPassword, oValidationSalt, user),
                     oHash);
         }
     }
@@ -1027,12 +1027,12 @@ public final class StandardSecurityHandl
                                                    length, encryptMetadata);
         if (encRevision == REVISION_2)
         {
-            return Arrays.equals(user, passwordBytes);
+            return MessageDigest.isEqual(user, passwordBytes);
         }
         else
         {
             // compare first 16 bytes only
-            return Arrays.equals(Arrays.copyOf(user, 16), Arrays.copyOf(passwordBytes, 16));
+            return MessageDigest.isEqual(Arrays.copyOf(user, 16), Arrays.copyOf(passwordBytes, 16));
         }
     }
 
@@ -1054,7 +1054,7 @@ public final class StandardSecurityHandl
             hash = computeHash2A(truncatedPassword, uValidationSalt, null);
         }
 
-        return Arrays.equals(hash, uHash);
+        return MessageDigest.isEqual(hash, uHash);
     }
 
     /**